Table of Contents

• SSH Basics
• Authentication Methods
• Key Management
• Remote Command Execution
• File Transfers
• Advanced Techniques
• Troubleshooting
• Security Best Practices

SSH Basics

SSH lets you securely connect to remote servers, execute commands, and transfer files over encrypted connections.

Basic Connection Syntax

ssh [options] [user@]hostname
ssh user@192.168.1.100
ssh root@example.com

The default SSH port is 22, but servers often use custom ports for security.

Full TIL: SSH Connection Basics: Password, Keys, and Parameters

Authentication Methods

SSH supports two primary authentication methods:

1. Password Authentication

The simplest method—SSH prompts for password each time:

ssh user@hostname
# Prompted for password

Drawbacks:

• Requires typing password repeatedly
• Vulnerable to brute-force attacks
• Poor for automation and scripts

2. Key-Based Authentication (Recommended)

Uses cryptographic key pairs instead of passwords. Much more secure and convenient.

ssh -i ~/.ssh/id_ed25519 user@hostname

Benefits:

• ✅ No password to remember
• ✅ Can’t be brute-forced
• ✅ Perfect for scripts and automation
• ✅ Passphrase-protected keys for extra security

Full TIL: SSH Connection Basics

Key Management

Generating SSH Keys

Modern best practice: use Ed25519 keys (faster, smaller, more secure than RSA):

ssh-keygen -t ed25519 -C "your-email@example.com"
# Or traditional RSA:
ssh-keygen -t rsa -b 4096

Creates two files:

• ~/.ssh/id_ed25519 — Private key (keep secret, chmod 600)
• ~/.ssh/id_ed25519.pub — Public key (share with servers)

Using Specific Keys

By default SSH uses keys from ~/.ssh/. To use a specific key:

ssh -i /path/to/private/key user@hostname
ssh -i ~/.ssh/custom_key -p 2222 user@hostname

SSH Agent: Never Type Your Passphrase Again

SSH agent stores decrypted keys in memory, so you enter your passphrase once per session instead of per connection.

# Start the agent (usually automatic)
eval "$(ssh-agent -s)"

# Add your key (prompts for passphrase once)
ssh-add ~/.ssh/id_ed25519

# Now use SSH without typing passphrase
ssh user@hostname  # No passphrase needed!

Useful agent commands:

ssh-add -l            # List loaded keys
ssh-add -d ~/.ssh/id  # Remove specific key
ssh-add -D            # Remove all keys

Full TIL: Using SSH Agent to Manage Keys

Remote Command Execution

Run commands on remote servers without opening an interactive shell:

ssh user@hostname "command"
ssh user@hostname "ls -la /tmp"
ssh user@hostname "whoami"

Multiple Commands

# Using && (only runs next if previous succeeds)
ssh user@hostname "cd /tmp && ls -la"

# Using ; (runs regardless)
ssh user@hostname "uptime; df -h"

# Multi-line script
ssh user@hostname << 'EOF'
cd /tmp
ls -la
whoami
EOF

Capturing Output

ssh user@hostname "ls -la /tmp" > local-file.txt
ssh user@hostname "cat /var/log/syslog" | grep "error" | wc -l

Useful Patterns

# Check if service is running
ssh user@hostname "systemctl is-active nginx"

# Run with sudo (prompts for password)
ssh user@hostname "sudo systemctl restart nginx"

# Execute local script on remote server
ssh user@hostname < local-script.sh

# Background task
ssh user@hostname "nohup long-task > output.log 2>&1 &"

Full TIL: Executing Remote Commands with SSH

File Transfers

SCP: Simple File Copy

SCP is straightforward for one-off transfers:

# Local to remote
scp ./file.txt user@hostname:/path/to/remote/

# Remote to local
scp user@hostname:/path/to/file.txt ./local-folder/

# With custom port and key
scp -i ~/.ssh/key -P 2222 ./file.txt user@hostname:/path/

Best for:

• Quick, small file transfers
• Simple one-time operations

Full TIL: Using SCP for File Transfers

RSYNC: Smart Synchronization

RSYNC transfers only changed parts and can resume interrupted transfers:

# Local to remote
rsync -avz ./folder/ user@hostname:/path/to/remote/

# Remote to local
rsync -avz user@hostname:/path/to/folder/ ./local-folder/

# Single file
rsync -avz ./file.txt user@hostname:/path/

Common options:

Best for:

• Large backups
• Repeated syncs
• Resumable transfers

Full TIL: Using RSYNC for File Transfers

SCP vs RSYNC

Advanced Techniques

Port Forwarding

Local port forwarding — Access remote service through local port:

ssh -L 8080:localhost:3000 user@hostname -N -f
# Now: localhost:8080 → remote:3000
curl localhost:8080  # Accesses remote service

Remote port forwarding — Expose local service to remote network:

ssh -R 8080:localhost:3000 user@hostname -N -f
# Remote can access: localhost:8080 → your local:3000

Custom SSH Config

Create ~/.ssh/config for easier, personalized connections:

Host production
    Hostname example.com
    User deploy
    Port 2222
    IdentityFile ~/.ssh/production_key
    ServerAliveInterval 60
    LogLevel QUIET

Host github
    Hostname github.com
    User git
    IdentityFile ~/.ssh/github_key

Now use short names:

ssh production
ssh github  # For git operations

ProxyJump: Jump Through Bastion Host

Connect through a bastion/jump host:

ssh -J bastion@jump-host internal@internal-server
# Or in ~/.ssh/config
Host internal-server
    Hostname 10.0.1.5
    ProxyJump jump-host

Quiet Mode

Suppress banners and diagnostic messages:

ssh -q user@hostname
ssh -q user@hostname "command"

Full TIL: SSH Connection Without Welcome Message

Troubleshooting

Host Key Changed Warning

If you see this warning:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

This happens after server rebuilds or IP changes. Remove the old key:

ssh-keygen -R hostname.com
# Then reconnect
ssh user@hostname.com

Full TIL: Fix REMOTE HOST IDENTIFICATION HAS CHANGED

Debug Connection Issues

ssh -v user@hostname          # Verbose output
ssh -vv user@hostname         # More verbose
ssh -vvv user@hostname        # Maximum debug info

Common Issues

Permission Denied:

• Check key file permissions: chmod 600 ~/.ssh/id_ed25519
• Verify server authorized_keys contains your public key

Connection Timeout:

• Check if port is correct: ssh -p port ...
• Verify firewall allows SSH traffic
• Test connectivity: nc -zv hostname port

Wrong Key Being Used:

• Explicitly specify: ssh -i /path/to/key ...
• List available keys: ssh-add -l

Security Best Practices

1. Use Key-Based Authentication

Never rely on passwords for SSH. Keys are exponentially more secure.

2. Protect Your Private Keys

# Ensure proper permissions
chmod 600 ~/.ssh/id_*

# Use passphrase-protected keys
ssh-keygen -p -f ~/.ssh/id_ed25519  # Change passphrase

3. Use Ed25519 Keys (Not RSA)

• ✅ Ed25519: Faster, smaller, newer, more secure
• ⚠️ RSA: Still secure, but older (use 4096-bit minimum)

ssh-keygen -t ed25519 -C "your-email@example.com"

4. Limit SSH Access on Servers

Edit /etc/ssh/sshd_config on your servers:

# Disable password auth
PasswordAuthentication no

# Disable root login
PermitRootLogin no

# Change default port (security through obscurity is weak, but helps)
Port 2222

# Limit login attempts
MaxAuthTries 3
MaxSessions 10

Restart SSH: sudo systemctl restart ssh or sudo systemctl restart sshd

5. Use SSH Agent Instead of Unencrypted Keys

Never use SSH keys without passphrases. Let SSH agent handle the passphrase.

6. Monitor SSH Activity

# View recent SSH attempts
grep "sshd" /var/log/auth.log | tail -20

# See who's currently connected
who
w

# Check SSH public keys authorized on this system
cat ~/.ssh/authorized_keys

7. Rotate SSH Keys Periodically

Even with secure keys, rotate them every 1-2 years as a best practice.

Summary

SSH is powerful, but only when used correctly. Key takeaways:

1. Always use key-based auth never trust passwords for SSH
2. Use Ed25519 keys they’re faster, smaller, and more secure
3. Protect your private keys with passphrases
4. Use SSH agent for convenience without sacrificing security
5. Keep your ~/.ssh directory private (chmod 700 ~/.ssh)
6. Monitor SSH access on your servers regularly

Learning Resources

All the TILs referenced in this post (concise, focused guides):

• SSH Connection Basics — password, keys, parameters
• SSH Agent — key management
• Remote Command Execution — running commands
• SCP Transfers — simple file copy
• RSYNC Transfers — smart synchronization
• Fixing Host Key Warnings
• Quiet Mode

Future Topics

Topics I plan to learn and add later:

• Host key verification and strict host checking
• Copying public keys with ssh-copy-id
• Advanced SSH config patterns (IdentitiesOnly, Include, multiple keys)
• Connection multiplexing (ControlMaster, ControlPath, ControlPersist)
• Agent forwarding and security implications
• Keepalive tuning (ServerAliveInterval, ServerAliveCountMax)
• Automation-focused flags (BatchMode, robust timeout handling)
• Server hardening extras (AllowUsers, Fail2ban, firewall rules)
• Hardware-backed SSH keys (ed25519-sk, ecdsa-sk)

Next Steps

• Review your SSH setup: Check your keys and permissions
• Configure SSH config: Create ~/.ssh/config for frequently used hosts
• Audit server access: Review who has SSH keys on your servers
• Run SSH agent on startup: Add to your shell profile for seamless key management

This post documents what happened, how I recovered, and what I changed so it does not happen again.

What happened

• I enabled Fail2ban protection not only for SSH, but also for Traefik access logs.
• During testing, I hit multiple blocked/scanner-like URLs and authentication flows while Traefik + Authentik were in front.
• My custom Traefik jail treated those requests as malicious behavior and banned my current public IP.
• Because that was my admin IP at the time, I effectively locked myself out.
• SSH stopped working from my machine, so I could not log in normally.

At that point, I only had one way in: provider-side remote console shell.

Symptoms I saw

• SSH connection attempts timed out or failed immediately.
• Repeated prompts with no successful login.
• Fail2ban service was running, but I was effectively blocked.

Commands that helped verify from console:

sudo fail2ban-client status
sudo fail2ban-client status sshd
# Check your custom proxy/auth jails by name
sudo fail2ban-client status <proxy_or_auth_jail>
sudo iptables -S | grep f2b

If your distro uses nftables, inspect rules there instead:

sudo nft list ruleset | grep -i f2b

How I recovered access

I logged in via my cloud provider’s emergency/serial console, then:

# Check active jails and banned IPs
sudo fail2ban-client status
sudo fail2ban-client status sshd
sudo fail2ban-client status <proxy_or_auth_jail>

# Fastest recovery: unban from all jails at once
sudo fail2ban-client unban <MY_PUBLIC_IP>

# If needed, unban per jail
sudo fail2ban-client set sshd unbanip <MY_PUBLIC_IP>
sudo fail2ban-client set <proxy_or_auth_jail> unbanip <MY_PUBLIC_IP>

After unbanning, SSH access worked again from my machine.

The configuration mistakes

The root issue was not Fail2ban itself. It was my configuration:

• Aggressive or test-phase ban settings while still validating proxy/auth behavior.
• No safe allowlist for trusted admin IP(s).
• Not validating each jail’s filter behavior against real traffic before hardening.

With reverse proxy/auth setups (Traefik + Authentik), you can generate noisy 401/403/404 patterns while testing. If your scanner/auth jails are strict, self-ban becomes very easy.

Safer configuration I use now

I moved to explicit, safer defaults and made non-SSH jail thresholds less trigger-happy while testing.

/etc/fail2ban/jail.local:

[DEFAULT]
# Always keep your trusted admin/VPN IPs here.
ignoreip = 127.0.0.1/8 ::1 <MY_PUBLIC_IP> <VPN_IP>
bantime = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
port = ssh
backend = systemd
logpath = /var/log/auth.log

/etc/fail2ban/jail.d/custom-proxy.conf (example):

[custom-proxy-jail]
enabled = true
port = http,https
filter = <custom_filter_name>
logpath = <proxy_access_log_path>
maxretry = <tuned_value>
findtime = <tuned_window>
bantime = <tuned_duration>
action = iptables-multiport[name=custom-proxy-jail, port="80,443"]

For RHEL-like systems, use /var/log/secure for logpath.

Then apply and re-check:

sudo systemctl restart fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd

Extra safety practices

Before changing ban rules now, I do this checklist:

1. Keep provider console access ready (do not skip this).
2. Confirm ignoreip contains at least one trusted path back in.
3. Test from a different IP/session before closing active shell.
4. Tighten settings gradually, not all at once.
5. Monitor jails after each config change.

Practical rollback if locked out again

From provider console:

# Temporary emergency disable
sudo systemctl stop fail2ban

# Or unban from all jails in one command
sudo fail2ban-client unban <MY_PUBLIC_IP>

# Or only unban specific jails
sudo fail2ban-client set sshd unbanip <MY_PUBLIC_IP>
sudo fail2ban-client set <proxy_or_auth_jail> unbanip <MY_PUBLIC_IP>

# Fix config
sudo editor /etc/fail2ban/jail.local

# Start again and verify
sudo systemctl start fail2ban
sudo fail2ban-client status sshd
sudo fail2ban-client status <proxy_or_auth_jail>

Lessons learned

• Fail2ban is effective, but easy to misconfigure when hardening quickly.
• Reverse proxy + SSO testing can look like scanner behavior to Fail2ban filters.
• Always keep an out-of-band recovery path (provider console).
• Add trusted IPs before tightening bans.
• Keep an unban workflow/script ready before enabling stricter jails.

Related TIL

• Fail2ban for SSH

Final takeaway

Security controls should protect you from attackers, not block you from your own server.

Fail2ban is still worth using, but deploy it like a production change: safe defaults, staged tuning, and a guaranteed recovery path.

It was the game.

For years, when people asked what I played, my answer was simple:

I only play one game: Destiny 2.

That is exactly why I feel qualified to say this: Bungie killed its golden goose.

This is not a neutral post. It is a goodbye letter from a player who gave Destiny 2 years of time, loyalty, money, and patience. And the reason I am done is not just that the game changed.

It is that Bungie changed.

From Passion Project to Extraction Machine

There was a time when Bungie seemed to genuinely care about its players. The game had problems, sure, but there was still a sense that the developers wanted to build something special and lasting. There was a soul there. You could feel it in the world design, in the raids, in the gunplay, in the music, and in the moments where the game actually respected your time.

But as the years went on, that version of Bungie got buried under corporate thinking, monetization layers, and cynical live-service decision-making. What started as a beloved shared-world shooter slowly turned into a machine built to extract more money while giving less back.

And that shift did not happen by accident. It happened step by step, update by update, expansion by expansion, excuse by excuse.

They Blamed Activision, Then Proved They Were the Problem

For a long time, a lot of the player base blamed Activision for everything wrong with Destiny. The aggressive monetization, the business-first design, the compromises, the artificial grind: people assumed that was all Activision’s influence.

Then Bungie split from Activision.

That should have been the moment everything improved. If Activision had truly been the source of the rot, Bungie’s independence should have led to a more honest, more player-friendly Destiny. Instead, many of the worst decisions either stayed, intensified, or evolved into something even more shameless.

That is why I believe Bungie used Activision as cover. They let players believe the publisher was holding them back, and once the publisher was gone, the same patterns remained. Same monetization instincts. Same manipulative design. Same disrespect for players’ time and money.

That excuse died the moment Bungie stood on its own and kept doing the same thing.

Destiny Became Microtransaction Hell

This is where the betrayal became impossible to ignore.

Destiny 2 stopped feeling like one premium hobby and started feeling like a game designed around toll booths. Everything became segmented, monetized, and repackaged.

You do not just buy an expansion anymore. You buy the DLC. Then the season. Then the dungeon. Then the cosmetics. Then the event pass. Then the transmog shortcuts. Then whatever other Silver-based nonsense they have cooked up.

At some point it became absurd. A major expansion package can cost close to 100€, and somehow that still does not feel like the full product. You are still expected to keep paying on top of that. For a game that already charges premium expansion prices, this level of layered monetization is indefensible.

They turned Destiny 2 into a storefront disguised as a live-service game.

The “Train Station” Mindset Said Everything

What makes this worse is that Bungie has openly revealed the mindset behind all of this.

At a developer conference, Bungie used the analogy that they were not just building a train, they were building a train station: a system designed to keep the live-service machine going. Another Bungie presentation included the now infamous idea that “overdelivery” is dangerous, because if you give players too much, they will expect that level again.

That explains so much.

For years, players felt like Bungie was deliberately holding back, stretching content, rationing quality, and constantly managing expectations downward. We were told not to expect too much. We were trained to celebrate the return of things that should never have left. We were conditioned to accept less and call it sustainability.

That “train station” mentality is exactly how Destiny 2 started to feel: not like a world built for players, but like an infrastructure built to keep extracting engagement and money.

They Sold Power First, Then Balanced It Later

One of the most toxic patterns in Destiny 2 has been the repeated release of overtuned abilities, subclasses, and weapons that just happen to be tied to paid content, only for them to get nerfed later after enough people have bought in.

Maybe Bungie would call that a balancing issue. Maybe they would say live-service tuning is complicated. Fine. But players are not stupid. When the newest paid content repeatedly launches too strong and only gets brought back in line after the purchases have gone through, people notice.

Stasis was one of the biggest examples. There have been others. New exotics, subclass interactions, artifact perks, seasonal weapon dominance: again and again, Bungie created the impression that buying in early meant getting access to the strongest toys before the inevitable tuning pass.

Even when intent cannot be proven, the pattern destroys trust. And once trust is gone, every “oops, this launched too strong” starts sounding less like a mistake and more like a business tactic.

Sunsetting Was a Betrayal of Player Time

Sunsetting was one of the worst decisions Bungie ever made.

Players spent years grinding for god rolls, perfect builds, masterworked gear, and weapons tied to difficult content. Then Bungie basically told us that huge portions of that loot would be left behind, invalidated, or made irrelevant in power-enabled content.

The official excuse was sandbox health, power creep, and making room for new rewards. But to many of us, it looked like a lazy, brute-force solution to weapons Bungie could not properly balance. Instead of dealing with their own design problems intelligently, they chose to devalue years of player investment.

That is the kind of decision that permanently damages a game’s relationship with its most loyal community. And the fact that Bungie later walked back major parts of that philosophy only made the original decision look even more indefensible.

They wasted players’ time, then quietly admitted the backlash was justified.

Vaulting Paid Content Crossed the Line

Sunsetting was bad. Vaulting was worse.

Bungie removed entire destinations, campaigns, and DLC content from a game people had already paid for. Not metaphorically. Literally. Content was bought, then taken away. Expansions and planets that were part of the product disappeared into the so-called vault.

That should have been unacceptable from day one.

It sent a horrible message: in Destiny 2, your purchases are temporary, but Bungie’s right to keep selling you new things is permanent.

And then, to make it even worse, Bungie spent years pulling old ideas, locations, weapons, and activities back out of the vault, repainting or reskinning them, and selling nostalgia back to the same player base that had already paid once. That is not clever live-service content management. That is recycling old value after deleting it and pretending it is generosity when it returns.

The DLCs I bought are not even there anymore. That alone tells you everything you need to know.

Lightfall Felt Like Filler, Not a Real Expansion

After The Witch Queen, expectations were high. Bungie had proven they could still deliver something focused, meaningful, and high quality when they wanted to.

Then came Lightfall.

To me, Lightfall was not a proper chapter in Destiny’s saga. It was filler. It felt like an expansion created to stretch the roadmap, buy time, and squeeze more money out of a player base that was already deeply invested and emotionally locked in.

The story felt disconnected. The tone felt off. The pacing was strange. The stakes were supposedly massive, yet so much of it felt hollow and half-baked. Instead of feeling like the natural next step, it felt like a detour that existed because Bungie needed another stopgap release before getting to the actual conclusion.

It did not fit properly because it was never built with the same integrity as the expansions around it. It felt like padding.

Strand Should Have Been in The Witch Queen

I do not care how many times Bungie denies it: I still believe Strand was originally meant to be part of The Witch Queen.

There are too many clues. The visual language fits. The themes line up. The psychic, thread-like, reality-bending nature of Strand feels like it belongs far more naturally with Savathun, Deepsight, unraveling hidden truths, and the mystery-heavy tone of The Witch Queen than with the neon chaos of Lightfall.

To me, Strand being moved out and Lightfall being stretched into its own expansion looks like a deliberate attempt to split content apart and monetize it separately.

Maybe Bungie says otherwise. That is their line. I do not buy it.

Players are not crazy for looking at the timeline and concluding that Lightfall existed to squeeze out one more big expansion sale.

They Kept Adding Friction Everywhere

Beyond the flashy controversies, Bungie also spent years slowly choking the game with friction.

Too many currencies. Too many systems. Too many rotating passes. Too many convoluted purchase models. Too many layers between the player and the content they actually want to play.

The onboarding for new players remained awful. Ritual content stagnated. Important systems were constantly reworked, often without truly improving the core experience. Veteran players had to keep re-learning systems that did not need to be this messy in the first place, while new players were thrown into a confusing maze.

It increasingly felt like Bungie was designing around monetization, engagement metrics, and retention loops first, and fun second.

Vault Space Was Another Obvious Lie

And yes, I am going to say it plainly: the excuses about vault space never sat right with me.

As a developer myself, Bungie’s logic around storage always sounded like bullshit. For years players were told, directly or indirectly, that vault limitations were technical, difficult, or necessary. Meanwhile the game kept vomiting out more guns, more armor, more perks, more crafted variations, more curated rolls, more event items, and more reasons to hold onto gear.

The numbers simply did not match the reality of how they designed the loot game.

Players kept asking for meaningful vault improvements while Bungie kept acting like this was some impossible engineering mountain. Meanwhile their CEO was out buying supercars and the people keeping the game alive were still being told to juggle inventories in a loot-based MMO-lite built entirely around collecting things.

That is why so many players stopped believing them. Not because storage is magic, but because the excuses always seemed to appear when the requested quality-of-life improvement did not directly generate revenue.

Bungie Neglected Destiny While Chasing Marathon

This is another reason the bitterness runs so deep.

For years, Destiny players supported Bungie through all the ups and downs. We kept the lights on. We bought the expansions. We bought the seasons. We tolerated the monetization. We stuck around through the dry spells. We defended the game to others. We gave them loyalty most studios would kill for.

And what did Bungie do with that support?

They used Destiny as a money-printing machine while shifting focus toward Marathon.

Instead of reinvesting enough of that money into strengthening Destiny, improving the core game, respecting longtime players, and building a healthier future for the franchise that fed them for years, they seemed more interested in funding the next project.

So yes, I will say it openly: it makes me happy that Marathon is not doing well.

That may sound harsh, but after watching Bungie milk Destiny while treating it more and more like a revenue source rather than a world worth protecting, I do not have sympathy left. They used their golden goose to fund a new dream, and they damaged the old one in the process.

Even Basic Respect for Artists Became a Problem

For a studio that is treated like AAA royalty, Bungie has repeatedly embarrassed itself with incidents involving stolen or unauthorized art and concepts.

That matters.

Because this is not just about bugs, balancing mistakes, or bad monetization. It is about professionalism and ethics. When a studio keeps ending up in situations where indie artists’ work appears to have been used without proper credit, permission, or compensation, it reinforces the image of a company that feels entitled to take from smaller creators while hiding behind corporate statements afterward.

That kind of behavior fits the broader pattern: exploit value wherever possible, apologize when caught, and move on.

For a company of Bungie’s size and status, that is pathetic.

Bungie Is Called AAA, but Too Often They Act Lazy

Yes, Bungie is recognized as a AAA studio. But from the player side, too often they do not act like one.

A real top-tier studio does not repeatedly hide behind weak excuses, recycle old content as new value, remove paid content, drag out basic quality-of-life improvements, ship half-baked expansions, and constantly push monetization deeper into every corner of the game while asking for patience and trust.

A real AAA studio does not treat loyalty like something to be farmed.

Too often Bungie has felt less like a world-class developer and more like a studio coasting on old reputation, excellent gunplay, and the emotional investment of a trapped player base.

The Portal Was the Final Straw for Me

Recently they added the Portal, and honestly: what the hell even is that?

I only used to play Grandmaster Nightfalls. That was my thing. That was the part of the game I cared about most. That was the content loop I kept coming back for. I did not need some abstracted “portal” structure or whatever new activity framework Bungie wants players to funnel through.

And now Grandmaster Nightfalls, as they used to exist in the way I cared about them, are effectively gone or absorbed into a system I have no interest in engaging with.

I do not have time for their Portal bullshit.

I do not want another layer. I do not want another UI experiment. I do not want another system designed to repackage activities into a new engagement funnel. I wanted to log in and play the hardest PvE content in the game the way I had for years.

That was enough for me. Bungie removed the thing I loved and replaced it with something that feels like corporate product design.

That was my breaking point.

This Is Not Coming From a Casual Player

And that matters.

I am not writing this as someone who dipped in for a few expansions and got bored. I am not writing this as someone who watched a few YouTube videos and decided to pile on. I am writing this as someone who lived in this game.

Over seven years.
Over 1,000 Grandmaster clears.
Roughly 70% of them solo.
A full vault.
Full characters.
Masterworked gear everywhere.
70,000 cores.
Ascendant shards stacked in the postmaster.
Top-tier commitment.
Top Stadia player.
One-game player.

I know what Destiny 2 was. I know what it became. And I know what it feels like when a game you truly loved stops respecting the people who kept it alive.

So yes, I have earned the right to say this.

The Player Counts Tell Their Own Story

When I see the Destiny 2 player counts now, I do not feel shocked anymore. I feel validated.

It makes me happy that so many people have moved on. Not because I wanted Destiny to die, but because I wanted players to stop falling for Bungie’s traps. For too long, this company relied on loyalty, habit, sunk cost, and emotional attachment to keep people paying into a system that was giving less and less back.

Seeing more players finally walk away tells me I was not imagining it. A lot of people saw the same thing. A lot of people got tired of being manipulated, monetized, and ignored.

That is not tragedy. That is clarity.

Bungie Killed Its Golden Goose

This is the saddest part of all.

Destiny 2 did not collapse because the gunplay stopped being incredible. It did not fail because the art team lost their talent. It did not fail because the core fantasy was weak. The foundation was always there. The potential was always there.

Bungie killed its golden goose because it kept choosing short-term monetization, player manipulation, and executive priorities over long-term trust.

They took one of the most mechanically satisfying shooters ever made and buried it under greed.
They took a loyal community and treated it like a resource to be mined.
They took years of player goodwill and burned through it for expansions, seasons, dungeon keys, recycled content, and a future that no longer seemed to care about the players who built that success in the first place.

Many hardcore Destiny players supported Bungie for years.

And Bungie betrayed everyone.

Goodbye, Destiny

It is enough for me.

I do not have the energy anymore to keep justifying Bungie’s decisions, hoping the next expansion fixes things, or pretending the pattern is not real. I do not want to get dragged into more systems, more monetization layers, more repackaged activities, more excuses, or more disappointment.

I would not give Bungie a single penny ever again.

And honestly, I do not think anyone else should either.

This is my goodbye, not just to a game, but to the illusion that Bungie still deserves the kind of loyalty players like me gave them for years.

We stayed.
We defended them.
We paid.
We grinded.
We believed.

And in the end, they played us.

Final Thought

We all played Destiny, but Bungie played us all.

Have you ever wondered if ChatGPT remembers things you’ve told it in previous conversations, even when you’ve disabled memory? I’ve been suspicious about this for quite some time, particularly regarding ChatGPT’s Projects feature. After conducting a systematic test, I discovered something concerning: ChatGPT is indeed sharing conversation context between separate chats within the same project, even when memory settings are explicitly turned off.

This investigation reveals a significant privacy implication that OpenAI doesn’t clearly communicate to users. Let me walk you through my findings.

The Discovery: Memory Sharing in Projects

Setting the Stage: Memory Disabled

Before conducting my test, I verified that my ChatGPT memory settings were completely disabled. This is crucial because it eliminates the obvious explanation for any information retention.

Memory settings clearly set to “Off”

The Experiment: Testing Information Persistence

Step 1: Initial Query in a Fresh Chat

I started by creating a new chat within a project and asking ChatGPT if it knew my belly size. As expected, it had no prior knowledge of this information.

ChatGPT correctly states it has no knowledge of personal information

Step 2: Sharing Personal Information in a New Chat

I then created a completely separate chat within the same project and shared personal information about my belly size. This was done to test if this information would somehow persist across different conversations.

Sharing personal information in a separate chat within the same project

Step 3: The Shocking Discovery

When I returned to the first chat and asked the same question again, ChatGPT suddenly “remembered” the information I had shared in the completely separate conversation!

ChatGPT now has knowledge it shouldn’t possess based on disabled memory settings

Confirming the Scope

Project-Specific Behavior

To understand the scope of this behavior, I verified that only two chats existed in my test project, confirming that the information sharing was contained within the project boundary.

Confirmation that only two chats existed in the test project

Testing Outside Projects

I conducted the same test in the main ChatGPT interface (outside of any project) and confirmed that this memory-sharing behavior does not occur in regular chats.

Regular chats outside projects don’t exhibit this behavior

The Contradiction: What ChatGPT Claims vs. Reality

ChatGPT’s Response to Direct Questioning

When directly asked about this behavior, ChatGPT denies saving or sharing information between chats within projects:

ChatGPT claims it doesn’t save or share information between chats

This creates a concerning contradiction between what ChatGPT claims about its behavior and what actually happens in practice.

Limited Documentation and Transparency

Scarce Official Information

The only reference I could find acknowledging this behavior was in a third-party article: OpenAI has upgraded ChatGPT’s Projects feature, and I find it makes working way more efficient

Missing from Official Documentation

Notably, OpenAI’s official website and documentation do not clearly explain this behavior. There are no settings to:

• Control memory sharing within projects
• Disable context sharing between chats in a project
• Manage privacy preferences for project-level information retention

Privacy Implications and Concerns

What This Means for Users

This discovery has several important implications:

1. Hidden Data Persistence: Information you share in one chat within a project persists across all other chats in that project, regardless of your memory settings.

2. Lack of User Control: There’s no clear way to disable this behavior or manage what information is shared within a project.

3. Documentation Gap: The behavior isn’t clearly documented, leaving users unaware of how their data is being handled.

4. False Sense of Privacy: Users who disable memory settings may believe their conversations are isolated, when they’re actually not within projects.

Potential Risks

• Unintended Information Disclosure: Sensitive information shared in one project chat becomes available in all other chats within that project
• Context Contamination: Previous conversations can influence AI responses in ways users don’t expect
• Privacy Confusion: Users may not understand the true scope of information retention

Recommendations

For Users

1. Be Aware: Understand that information shared in any chat within a ChatGPT project persists across all chats in that project
2. Project Hygiene: Consider creating separate projects for sensitive or unrelated topics
3. Regular Cleanup: Periodically review and clean up your ChatGPT projects
4. Verify Privacy Settings: Don’t rely solely on memory settings to control information persistence

For OpenAI

1. Improve Documentation: Clearly explain how Projects handle information sharing
2. Add User Controls: Provide settings to control context sharing within projects
3. Enhance Transparency: Be more explicit about data handling practices
4. Fix Contradictory Responses: Ensure ChatGPT accurately describes its own behavior

Conclusion

This investigation reveals a significant gap between user expectations and ChatGPT’s actual behavior within Projects. While the feature may be designed to improve workflow efficiency by maintaining context, the lack of clear documentation and user control raises important privacy concerns.

The most troubling aspect is the contradiction between what ChatGPT claims about its behavior and what actually happens. Users deserve clear, accurate information about how their data is being handled, especially when privacy settings suggest certain protections are in place.

Until OpenAI provides better transparency and user controls, it’s important for users to be aware of this behavior and take appropriate precautions when sharing sensitive information in ChatGPT Projects.

Have you noticed similar behavior in your ChatGPT usage? Share your experiences in the comments below.

This investigation was conducted on October 23, 2025, using ChatGPT’s Projects feature. Results may vary as OpenAI updates their platform.

Recently, I ran into this exact issue while building a tool to manage cloud instances. What seemed like simple counting logic turned into a debugging nightmare! In this post, I’ll walk you through the same scenario and show you how Go’s sync/atomic package saved the day.

Understanding the Problem

Imagine you’re building a cloud management tool that needs to update multiple server instances concurrently. You want to count how many instances were successfully updated. Here’s what the initial implementation might look like:

package main

import (
    "fmt"
    "time"
    "golang.org/x/sync/errgroup"
)

// Simulate updating an instance (for demonstration)
func updateInstance(instance string) error {
    // Simulate some work
    time.Sleep(10 * time.Millisecond)
    // Simulate occasional failures
    if instance == "instance-error" {
        return fmt.Errorf("failed to update %s", instance)
    }
    return nil
}

func updateInstances(instances []string) error {
    var wg errgroup.Group
    updatedCount := 0  // 🚨 This will cause problems!
    
    for _, instance := range instances {
        instance := instance // capture loop variable
        wg.Go(func() error {
            err := updateInstance(instance)
            if err == nil {
                updatedCount++  // ❌ RACE CONDITION!
            }
            return err
        })
    }
    
    if err := wg.Wait(); err != nil {
        return err
    }
    
    fmt.Printf("Successfully updated %d instances\n", updatedCount)
    return nil
}

This code looks reasonable, but it contains a subtle and dangerous bug. Can you spot it?

The “Aha!” Moment: Understanding Atomic Operations

The sync/atomic package provides atomic operations - think of them like transactions at an ATM. When you withdraw money, either the entire operation completes (your balance updates AND you get cash), or nothing happens at all. There’s no in-between state where the money disappears!

The Race Condition Explained

In our example above, we have a classic race condition. Let’s break down what’s happening:

The problematic code:

var wg errgroup.Group
updatedCount := 0  // Shared variable

for _, instance := range instances {
    wg.Go(func() error {
        // Multiple goroutines running concurrently
        err := updateInstance(instance)
        if err == nil {
            updatedCount++  // ❌ RACE CONDITION!
        }
        return err
    })
}

Why This is Dangerous

The problem lies in the innocent-looking line updatedCount++. This operation seems atomic, but it’s actually three separate operations at the CPU level:

1. Read the current value of updatedCount
2. Add 1 to that value
3. Write the new value back to updatedCount

The Race Condition in Action

Here’s what can happen when multiple goroutines execute this code simultaneously:

Timeline: Two goroutines (A and B) trying to increment updatedCount

Initial value: updatedCount = 5

Goroutine A: Read updatedCount (5)
Goroutine B: Read updatedCount (5)    // Still 5! B doesn't see A's changes yet
Goroutine A: Calculate 5 + 1 = 6
Goroutine B: Calculate 5 + 1 = 6      // Also calculating from 5!
Goroutine A: Write 6 back
Goroutine B: Write 6 back             // Overwrites A's work!

Final value: updatedCount = 6 (should be 7!)

Result: We lost one increment! If you had 100 successful updates, you might see anywhere from 1 to 100 as the final count, depending on the timing of the race conditions.

The Solution: Atomic Operations

Now let’s fix our code using atomic operations:

package main

import (
    "fmt"
    "sync/atomic"
    "time"
    "golang.org/x/sync/errgroup"
)

// Simulate updating an instance (for demonstration)
func updateInstance(instance string) error {
    // Simulate some work
    time.Sleep(10 * time.Millisecond)
    // Simulate occasional failures
    if instance == "instance-error" {
        return fmt.Errorf("failed to update %s", instance)
    }
    return nil
}

func updateInstancesSafely(instances []string) error {
    var wg errgroup.Group
    var updatedCount int64  // ✅ Must be int64 for atomic operations

    for _, instance := range instances {
        instance := instance // capture loop variable
        wg.Go(func() error {
            err := updateInstance(instance)
            if err == nil {
                atomic.AddInt64(&updatedCount, 1)  // ✅ THREAD-SAFE!
            }
            return err
        })
    }

    if err := wg.Wait(); err != nil {
        return err
    }

    // Read the final value atomically
    finalCount := atomic.LoadInt64(&updatedCount)
    fmt.Printf("Successfully updated %d instances\n", finalCount)
    return nil
}

Key Changes

1. Variable type: Changed from int to int64 (required for atomic operations)
2. Increment operation: updatedCount++ → atomic.AddInt64(&updatedCount, 1)
3. Reading the value: updatedCount → atomic.LoadInt64(&updatedCount)

How Atomic Operations Work

atomic.AddInt64(&updatedCount, 1)

This function provides several guarantees:

• Atomically adds 1 to the value at the specified memory address
• Cannot be interrupted by other goroutines or CPU context switches
• Hardware-level guarantee that the entire operation completes as a single unit
• Returns the new value after the addition (though we don’t use it in our example)
• Thread-safe across all CPU cores

atomic.LoadInt64(&updatedCount)

This function ensures safe reading:

• Atomically reads the complete value from memory
• Guarantees consistency - you’ll never see a partially updated value
• Prevents compiler optimizations that might cache stale values
• Provides memory synchronization with atomic writes

Why Atomic Operations Prevent Race Conditions

The magic of atomic operations lies in their indivisible nature:

1. Single CPU instruction: atomic.AddInt64 translates to a single CPU instruction that cannot be interrupted
2. Memory barriers: Atomic operations include memory synchronization, ensuring all CPU cores see consistent values
3. No lost updates: Multiple goroutines can safely increment the same counter simultaneously
4. Ordering guarantees: Atomic operations provide happens-before relationships for memory ordering

Benchmarking the Performance

I was curious about how fast these atomic operations really are, so I wrote a benchmark. The results blew my mind:

package main

import (
    "sync"
    "sync/atomic"
    "testing"
)

func BenchmarkAtomicCounter(b *testing.B) {
    var counter int64
    var wg sync.WaitGroup
    
    numGoroutines := 100
    incrementsPerGoroutine := b.N / numGoroutines
    
    for i := 0; i < numGoroutines; i++ {
        wg.Add(1)
        go func() {
            defer wg.Done()
            for j := 0; j < incrementsPerGoroutine; j++ {
                atomic.AddInt64(&counter, 1)
            }
        }()
    }
    
    wg.Wait()
    expected := int64(numGoroutines * incrementsPerGoroutine)
    if atomic.LoadInt64(&counter) != expected {
        b.Errorf("Counter mismatch: got %d, want %d", 
                 atomic.LoadInt64(&counter), expected)
    }
}

On my machine, this benchmark shows atomic operations can handle millions of concurrent increments per second with perfect accuracy. That’s faster than I ever expected!

Here are the actual results on my Apple M3 Pro:

goos: darwin
goarch: arm64
pkg: test
cpu: Apple M3 Pro
BenchmarkAtomicCounter-12    	47625759	        27.27 ns/op	       0 B/op	       0 allocs/op
PASS
ok  	test	2.313s

That’s 47.6 million operations in just over 2 seconds! Each atomic increment takes only 27 nanoseconds with zero memory allocations. To put this in perspective, that’s fast enough to handle the busiest web applications without breaking a sweat.

Alternative Solutions Compared

While atomic operations are perfect for our use case, it’s worth understanding the alternatives:

1. Mutex (More General, Heavier)

var mu sync.Mutex
var updatedCount int

// In each goroutine:
if err == nil {
    mu.Lock()
    updatedCount++
    mu.Unlock()
}

Pros:

• Works with any data type
• Can protect complex operations
• Familiar to developers from other languages

Cons:

• Higher overhead (OS-level synchronization)
• Risk of deadlocks with multiple mutexes
• Goroutines block waiting for the lock

2. Channel (The “Go Way”)

updateChan := make(chan struct{}, len(instances))

// In each goroutine:
if err == nil {
    updateChan <- struct{}{}
}

// After all goroutines complete:
close(updateChan)
updatedCount := 0
for range updateChan {
    updatedCount++
}

Pros:

• Idiomatic Go
• Natural backpressure with buffered channels
• Composable with select statements

Cons:

• More complex for simple counting
• Memory overhead for the channel buffer
• Requires careful channel management

3. Return Values and Sum

type result struct {
    success bool
    err     error
}

results := make([]result, len(instances))

for i, instance := range instances {
    i, instance := i, instance
    wg.Go(func() error {
        err := updateInstance(instance)
        results[i] = result{success: err == nil, err: err}
        return err
    })
}

// Count successes
updatedCount := 0
for _, r := range results {
    if r.success {
        updatedCount++
    }
}

Pros:

• No shared state, no synchronization needed
• Easy to collect additional information
• Functional programming style

Cons:

• Requires pre-allocated slice
• Memory usage grows with number of operations
• Less efficient for simple counting

When to Choose Atomic Operations

Choose sync/atomic when:

• ✅ Simple numeric operations: Counters, flags, sums
• ✅ High-performance requirements: Minimal overhead
• ✅ Lock-free algorithms: No blocking behavior needed
• ✅ Frequent updates: Many goroutines updating the same value

Avoid sync/atomic when:

• ❌ Complex data structures: Use mutexes instead
• ❌ Multiple related operations: Atomic operations are for single values
• ❌ Need transaction semantics: Use mutexes or channels for multi-step operations

Best Practices for Atomic Operations

1. Use the correct integer type: int32, int64, uint32, uint64, uintptr
2. Be consistent: Always use atomic operations for a variable, never mix with regular operations
3. Align memory: Use atomic.Value for complex types
4. Document clearly: Make it obvious that a variable requires atomic access

// Good: Clear documentation and consistent usage
type ServiceMetrics struct {
    // requestCount must be accessed using atomic operations only
    requestCount int64
    
    // errorCount must be accessed using atomic operations only  
    errorCount   int64
}

func (m *ServiceMetrics) IncrementRequests() {
    atomic.AddInt64(&m.requestCount, 1)
}

func (m *ServiceMetrics) GetRequestCount() int64 {
    return atomic.LoadInt64(&m.requestCount)
}

Conclusion

Race conditions are one of the most subtle and dangerous bugs in concurrent programming, but Go’s sync/atomic package provides an elegant solution for simple cases like counters and flags.

Key takeaways:

• Race conditions occur when multiple goroutines access shared data without proper synchronization
• Atomic operations provide lock-free, thread-safe access to simple data types
• Choose the right tool: Atomic for simple operations, mutexes for complex logic, channels for communication
• Performance matters: Atomic operations are typically the fastest synchronization mechanism
• Always be consistent: Once you choose atomic operations for a variable, use them everywhere

The next time you’re building concurrent Go applications, remember that a simple counter can hide complex race conditions. But with atomic operations, you can count on accurate results! 🏁

Further Reading

• Go atomic package documentation
• The Go Memory Model
• Effective Go - Concurrency

What’s your experience with race conditions in Go? Have you encountered subtle bugs that atomic operations helped solve? Share your stories in the comments below!

title: “Obsidian Notes Linker - Open Source Tool Released” category: Development tags:

• obsidian
• notes
• productivity
• open-source
• typescript
• electron header: image: /assets/images/posts/obsidian-notes-linker.png teaser: /assets/images/posts/obsidian-notes-linker.png comments: true toc_sticky: true excerpt: “Introducing Obsidian Notes Linker - an open-source tool to automatically create bidirectional links between your Obsidian notes. Boost your knowledge management workflow.” —Obsidian Notes Linker is a new open-source project designed to help users of Obsidian, a popular markdown-based note-taking app, to automatically link their markdown files. This tool is written in Python and is available on GitHub for anyone to use and contribute to.

Project can be found on Github Obsidian Linker

Features

• Automatic Linking: The tool scans your markdown files and automatically creates links between notes based on their content.
• Efficient: Handles large collections of notes quickly and efficiently.
• Uses Wikilink Format: Links are created using the Wikilink format, which is compatible with Obsidian.
• Skip Links in Metadata: The tool intelligently skips linking within metadata sections of your notes.
• Skip Links in Codeblocks and Inline Code: Ensures that links are not created within code blocks or inline code, preserving the integrity of your code snippets.

Installation

To install the Obsidian Notes Linker, you can clone the repository from GitHub and install the required dependencies:

git clone https://github.com/arshad115/obsidian-linker.git
cd obsidian-linker
pip install -r requirements.txt

Usage

To use the tool, simply run the following command in your terminal:

python obsidianlinker.py /path/to/vault/

This will scan your notes and add links where appropriate.

Example

I ran the obsidian linker on my digital garden with 430 markdown notes and it added 17,191 links. I had not linked notes except for the ones in one folder and it did an amazing job of making the graph travel easy and it just looks beautiful!

Before Linking

After Linking

Warning: Make sure to back up your vault before using this tool, as it can make irreversible edits.

Contributing

Contributions are welcome! If you have any ideas for new features or improvements, feel free to open an issue or submit a pull request on Obsidian Linker GitHub.

Conclusion

Obsidian Notes Linker is a powerful tool for anyone looking to enhance their note-taking experience in Obsidian. By automating the process of linking notes, it saves time and helps you create a more interconnected and useful knowledge base. Check out the project on GitHub and start linking your notes today!

To monitor Jenkins with Prometheus, we need to expose Jenkins metrics. Jenkins has a built-in Prometheus metrics endpoint that we can enable.

Install Prometheus Metrics Plugin

1. Go to Jenkins Dashboard → Manage Jenkins → Manage Plugins
2. Search for “Prometheus metrics” plugin
3. Install and restart Jenkins

Configure Prometheus Metrics

After installation, Jenkins will automatically expose metrics at:

http://your-jenkins-url/prometheus/

Access Metrics Endpoint

You can verify the metrics are being exposed by visiting:

curl http://localhost:8080/prometheus/

You should see output like:

# HELP jenkins_builds_duration_milliseconds_summary Build times in milliseconds
# TYPE jenkins_builds_duration_milliseconds_summary summary
jenkins_builds_duration_milliseconds_summary{quantile="0.5",} 1234.0
jenkins_builds_duration_milliseconds_summary{quantile="0.95",} 5678.0

Configure Prometheus to Scrape Jenkins

Add Jenkins as a target in your prometheus.yml:

global:
  scrape_interval: 15s

scrape_configs:
  - job_name: 'jenkins'
    static_configs:
      - targets: ['localhost:8080']
    metrics_path: '/prometheus'
    scrape_interval: 5s

Key Jenkins Metrics

The plugin exposes various useful metrics:

• Build Metrics: jenkins_builds_duration_milliseconds_summary
• Job Metrics: jenkins_job_count_total
• Queue Metrics: jenkins_queue_size_value
• Node Metrics: jenkins_node_count_value
• Executor Metrics: jenkins_executor_count_value

Restart Prometheus

After updating the configuration:

docker restart prometheus

Verify in Prometheus UI

1. Open Prometheus UI at http://localhost:9090
2. Go to Status → Targets
3. Verify Jenkins target is “UP”
4. Query some metrics like jenkins_builds_duration_milliseconds_summary

Grafana Dashboard

Import Jenkins dashboard ID 9964 from Grafana’s dashboard repository for pre-built Jenkins visualizations.

To monitor SonarQube metrics with Prometheus, we can use the SonarQube Prometheus Exporter plugin or the built-in web API metrics endpoint.

Method 1: SonarQube Prometheus Exporter Plugin

Install the Plugin

1. Download the SonarQube Prometheus Exporter plugin from GitHub
2. Place the JAR file in $SONARQUBE_HOME/extensions/plugins/
3. Restart SonarQube

Access Metrics

The plugin exposes metrics at:

http://localhost:9000/api/prometheus/metrics

Method 2: Using SonarQube Web API

SonarQube provides built-in APIs that can be scraped by Prometheus using custom exporters.

Key SonarQube Metrics APIs

• System Health: /api/system/health
• Project Statistics: /api/measures/component
• Quality Gates: /api/qualitygates/project_status
• Issues: /api/issues/search

Configure Prometheus to Scrape SonarQube

Add SonarQube to your prometheus.yml:

scrape_configs:
  - job_name: 'sonarqube'
    static_configs:
      - targets: ['localhost:9000']
    metrics_path: '/api/prometheus/metrics'
    scrape_interval: 30s
    basic_auth:
      username: 'your-sonarqube-token'
      password: ''

Custom Exporter Script

If the plugin isn’t available, create a custom Python exporter:

#!/usr/bin/env python3
import requests
import time
from prometheus_client import start_http_server, Gauge

# SonarQube connection
SONARQUBE_URL = "http://localhost:9000"
TOKEN = "your-sonarqube-token"

# Prometheus metrics
lines_of_code = Gauge('sonarqube_lines_of_code', 'Lines of code', ['project'])
bugs = Gauge('sonarqube_bugs', 'Number of bugs', ['project'])
vulnerabilities = Gauge('sonarqube_vulnerabilities', 'Number of vulnerabilities', ['project'])
code_smells = Gauge('sonarqube_code_smells', 'Number of code smells', ['project'])

def collect_metrics():
    # Get projects
    projects_url = f"{SONARQUBE_URL}/api/projects/search"
    response = requests.get(projects_url, auth=(TOKEN, ''))
    
    for project in response.json()['components']:
        project_key = project['key']
        
        # Get metrics for each project
        metrics_url = f"{SONARQUBE_URL}/api/measures/component"
        params = {
            'component': project_key,
            'metricKeys': 'ncloc,bugs,vulnerabilities,code_smells'
        }
        
        metrics_response = requests.get(metrics_url, params=params, auth=(TOKEN, ''))
        measures = metrics_response.json()['component']['measures']
        
        for measure in measures:
            metric_key = measure['metric']
            value = float(measure['value'])
            
            if metric_key == 'ncloc':
                lines_of_code.labels(project=project_key).set(value)
            elif metric_key == 'bugs':
                bugs.labels(project=project_key).set(value)
            elif metric_key == 'vulnerabilities':
                vulnerabilities.labels(project=project_key).set(value)
            elif metric_key == 'code_smells':
                code_smells.labels(project=project_key).set(value)

if __name__ == '__main__':
    start_http_server(8000)
    while True:
        collect_metrics()
        time.sleep(60)

Run the Custom Exporter

python3 sonarqube_exporter.py

Update Prometheus Configuration

scrape_configs:
  - job_name: 'sonarqube-custom'
    static_configs:
      - targets: ['localhost:8000']
    scrape_interval: 60s

Key SonarQube Metrics

Monitor these important metrics:

• Lines of Code (ncloc)
• Bugs (bugs)
• Vulnerabilities (vulnerabilities)
• Code Smells (code_smells)
• Coverage (coverage)
• Duplicated Lines (duplicated_lines_density)
• Technical Debt (sqale_index)

Grafana Dashboard

Create dashboards to visualize:

• Code quality trends over time
• Project comparison matrices
• Quality gate success rates
• Technical debt accumulation

This setup provides comprehensive monitoring of your code quality metrics alongside your infrastructure monitoring.

SonarQube provides continuous inspection of code quality through static analysis. Let’s integrate it with Jenkins for automated code quality checks.

Run SonarQube with Docker

Start SonarQube using Docker:

docker run -d --name sonarqube \
  -p 9000:9000 \
  -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true \
  sonarqube:latest

Wait for SonarQube to start (check logs with docker logs sonarqube), then access it at http://localhost:9000

Default credentials: admin/admin (change on first login)

Install SonarQube Scanner Plugin in Jenkins

1. Go to Jenkins Dashboard → Manage Jenkins → Manage Plugins
2. Search for “SonarQube Scanner” plugin
3. Install and restart Jenkins

Configure SonarQube Server in Jenkins

1. Navigate to Manage Jenkins → Configure System
2. Scroll to “SonarQube servers” section
3. Click “Add SonarQube”
4. Configure:
   • Name: SonarQube
   • Server URL: http://localhost:9000
   • Server authentication token: (generate in SonarQube)

Generate SonarQube Token

1. Login to SonarQube (http://localhost:9000)
2. Go to User → My Account → Security
3. Generate a new token
4. Copy the token for Jenkins configuration

Add Token to Jenkins

1. In Jenkins SonarQube configuration, click “Add” next to Server authentication token
2. Select “Secret text”
3. Paste the SonarQube token
4. Give it an ID like sonarqube-token

Configure SonarQube Scanner

1. Go to Manage Jenkins → Global Tool Configuration
2. Scroll to “SonarQube Scanner”
3. Click “Add SonarQube Scanner”
4. Name: SonarQube Scanner
5. Install automatically from Maven Central

Create Pipeline with SonarQube Analysis

pipeline {
    agent any
    
    environment {
        SCANNER_HOME = tool 'SonarQube Scanner'
    }
    
    stages {
        stage('Checkout') {
            steps {
                checkout scm
            }
        }
        
        stage('SonarQube Analysis') {
            steps {
                withSonarQubeEnv('SonarQube') {
                    sh '''
                        $SCANNER_HOME/bin/sonar-scanner \
                        -Dsonar.projectKey=my-project \
                        -Dsonar.sources=. \
                        -Dsonar.host.url=http://localhost:9000 \
                        -Dsonar.login=$SONAR_AUTH_TOKEN
                    '''
                }
            }
        }
        
        stage('Quality Gate') {
            steps {
                timeout(time: 1, unit: 'HOURS') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }
}

Project-specific Configuration

Create sonar-project.properties in your project root:

sonar.projectKey=my-project-key
sonar.projectName=My Project
sonar.projectVersion=1.0
sonar.sources=src
sonar.language=java
sonar.sourceEncoding=UTF-8

Quality Gates

SonarQube Quality Gates ensure code meets quality standards before deployment. Configure thresholds for:

• Code coverage
• Duplicated lines
• Maintainability rating
• Reliability rating
• Security rating

The pipeline will fail if quality gate conditions aren’t met, preventing poor quality code from being deployed.

We want to use a Kubernetes Cluster with Jenkins, so that Jenkins can fire up slaves in the cluster as required and perform the pipeline tasks. Instead of paying a lot of money for the Kubernetes Cluster, we will set it up locally using Kind.

Kubernetes Kind

Install

Install Kind with Homebrew:

brew install kind

Setup the Cluster

Create a yaml config file called kind-config.yaml for kind:

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
networking:
  # WARNING: It is _strongly_ recommended that you keep this the default
  # (127.0.0.1) for security reasons. However it is possible to change this.
  apiServerAddress: "127.0.0.1"
  # By default the API server listens on a random open port.
  # You may choose a specific port but probably don't need to in most cases.
  # Using a random port makes it easier to spin up multiple clusters.
  apiServerPort: 53850

Create the cluster with kind-config.yaml file:

kind create cluster --config kind-config.yaml

Verify the cluster:

kubectl cluster-info --context kind-kind

In Kubernetes, namespaces provide a mechanism for isolating groups of resources within a single cluster. Create Namespace jenkins:

kubectl create namespace jenkins

A ServiceAccount will allow Jenkins to spin up the required slave pods as needed. Create a ServiceAccount named jenkins:

kubectl create serviceaccount jenkins --namespace=jenkins

Create a token for the ServiceAccount created above, this token will be used in the Jenkins for authentication:

kubectl create token jenkins --duration=999999h --namespace=jenkins

Copy this token, we will use it later in Jenkins.

Create admin role for the ServiceAccount:

kubectl create rolebinding jenkins-admin-binding --clusterrole=admin --serviceaccount=jenkins:jenkins --namespace=jenkins

Kubernetes cluster is setup to be used in Jenkins now.

Jenkins Setup

Now we’ll configure Jenkins to use our Kubernetes cluster for dynamic agent provisioning.

Install the Kubernetes Plugin

1. Go to Jenkins Dashboard → Manage Jenkins → Manage Plugins
2. Search for “Kubernetes” plugin and install it
3. Restart Jenkins if required

Configure Kubernetes Cloud

1. Navigate to Manage Jenkins → Configure System
2. Scroll down to “Cloud” section and click “Add a new cloud” → “Kubernetes”
3. Configure the following settings:

Kubernetes Cloud Details:

• Name: kubernetes
• Kubernetes URL: https://127.0.0.1:53850 (from our Kind cluster)
• Kubernetes Namespace: jenkins
• Credentials: Add → Jenkins → Secret text
  • Secret: (paste the token we created earlier)
  • ID: kubernetes-token
  • Description: Kubernetes ServiceAccount Token

Test Connection: Click “Test Connection” to verify the setup.

Create Pod Template

In the same Kubernetes cloud configuration:

1. Scroll down to “Pod Templates” and click “Add Pod Template”
2. Configure:
   • Name: jenkins-agent
   • Namespace: jenkins
   • Labels: jenkins-agent
   • Usage: “Use this node as much as possible”

Container Template:

• Name: jnlp
• Docker Image: jenkins/inbound-agent:latest
• Working Directory: /home/jenkins/agent
• Command to run: (leave empty)
• Arguments to pass: (leave empty)

Volume Mounts: Add if needed for Docker-in-Docker or specific tools.

Test Dynamic Agent

Create a simple pipeline to test:

pipeline {
    agent {
        kubernetes {
            label 'jenkins-agent'
        }
    }
    stages {
        stage('Test') {
            steps {
                sh 'echo "Running on Kubernetes agent"'
                sh 'kubectl version --client'
            }
        }
    }
}

The Jenkins agent pod will be created automatically in the Kubernetes cluster when the pipeline runs and destroyed after completion.

Verification

• Check pods in the jenkins namespace: kubectl get pods -n jenkins
• Monitor Jenkins logs for any connection issues
• Verify agents are created and destroyed dynamically

This setup provides scalable, on-demand Jenkins agents using Kubernetes resources efficiently.